Move tests to /test

python/ql/src/experimental/Security/CWE-090/unit_tests/ldap3_bad.py

@@ -1,35 +0,0 @@
-from flask import request, Flask
-import ldap3
-
-app = Flask(__name__)
-
-
-@app.route("/normal")
-def normal():
-    """
-    A RemoteFlowSource is used directly as DN and search filter
-    """
-
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
-
-    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
-    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True)
-    conn.search(unsafe_dn, unsafe_filter)
-
-
-@app.route("/direct")
-def direct():
-    """
-    A RemoteFlowSource is used directly as DN and search filter using a oneline call to .search
-    """
-
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
-
-    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
-    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True).search(
-        unsafe_dn, unsafe_filter)
-
-# if __name__ == "__main__":
-#     app.run(debug=True)

python/ql/src/experimental/Security/CWE-090/unit_tests/ldap3_good.py

@@ -1,43 +0,0 @@
-from flask import request, Flask
-import ldap3
-from ldap3.utils.dn import escape_rdn
-from ldap3.utils.conv import escape_filter_chars
-
-app = Flask(__name__)
-
-
-@app.route("/normal")
-def normal():
-    """
-    A RemoteFlowSource is sanitized and used as DN and search filter
-    """
-
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
-
-    safe_dn = escape_rdn(unsafe_dn)
-    safe_filter = escape_filter_chars(unsafe_filter)
-
-    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
-    conn = ldap3.Connection(srv, user=safe_dn, auto_bind=True)
-    conn.search(safe_dn, safe_filter)
-
-
-@app.route("/direct")
-def direct():
-    """
-    A RemoteFlowSource is sanitized and used as DN and search filter using a oneline call to .search
-    """
-
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
-
-    safe_dn = escape_rdn(unsafe_dn)
-    safe_filter = escape_filter_chars(unsafe_filter)
-
-    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
-    conn = ldap3.Connection(srv, user=safe_dn, auto_bind=True).search(
-        safe_dn, safe_filter)
-
-# if __name__ == "__main__":
-#     app.run(debug=True)

python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_bad.py

@@ -1,50 +0,0 @@
-from flask import request, Flask
-import ldap
-
-app = Flask(__name__)
-
-
-@app.route("/normal")
-def normal():
-    """
-    A RemoteFlowSource is used directly as DN and search filter
-    """
-
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
-
-    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
-    user = ldap_connection.search_s(
-        unsafe_dn, ldap.SCOPE_SUBTREE, unsafe_filter)
-
-
-@app.route("/direct")
-def direct():
-    """
-    A RemoteFlowSource is used directly as DN and search filter using a oneline call to .search_s
-    """
-
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
-
-    user = ldap.initialize("ldap://127.0.0.1:1337").search_s(
-        unsafe_dn, ldap.SCOPE_SUBTREE, unsafe_filter)
-
-
-@app.route("/normal_argbyname")
-def normal_argbyname():
-    """
-    A RemoteFlowSource is used directly as DN and search filter, while the search filter is specified as
-    an argument by name
-    """
-
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
-
-    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
-    user = ldap_connection.search_s(
-        unsafe_dn, ldap.SCOPE_SUBTREE, filterstr=unsafe_filter)
-
-
-# if __name__ == "__main__":
-#     app.run(debug=True)

python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_good.py

@@ -1,61 +0,0 @@
-from flask import request, Flask
-import ldap
-import ldap.filter
-import ldap.dn
-
-app = Flask(__name__)
-
-
-@app.route("/normal")
-def normal():
-    """
-    A RemoteFlowSource is sanitized and used as DN and search filter
-    """
-
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
-
-    safe_dn = ldap.dn.escape_dn_chars(unsafe_dn)
-    safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)
-
-    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
-    user = ldap_connection.search_s(
-        safe_dn, ldap.SCOPE_SUBTREE, safe_filter)
-
-
-@app.route("/direct")
-def direct():
-    """
-    A RemoteFlowSource is sanitized and used as DN and search filter using a oneline call to .search_s
-    """
-
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
-
-    safe_dn = ldap.dn.escape_dn_chars(unsafe_dn)
-    safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)
-
-    user = ldap.initialize("ldap://127.0.0.1:1337").search_s(
-        safe_dn, ldap.SCOPE_SUBTREE, safe_filter, ["testAttr1", "testAttr2"])
-
-
-@app.route("/normal_argbyname")
-def normal_argbyname():
-    """
-    A RemoteFlowSource is sanitized and used as DN and search filter, while the search filter is specified as
-    an argument by name
-    """
-
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
-
-    safe_dn = ldap.dn.escape_dn_chars(unsafe_dn)
-    safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)
-
-    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
-    user = ldap_connection.search_s(
-        safe_dn, ldap.SCOPE_SUBTREE, filterstr=safe_filter)
-
-
-# if __name__ == "__main__":
-#     app.run(debug=True)